The US Government’s Plans for Your Anonymity and Identity Online « An Associate's Mind

The US Government’s Plans for Your Anonymity and Identity Online

The latest Fast Company has a story about the emergence of a “Sharing Economy,” and the necessity of trust:

The challenge that worries everyone in the sharing world, of course, is trust…”Sharing of the kind we’re talking about really only works when there’s reputation involved,” says Freestyle’s Felser. “We haven’t seen any mass-market approach to combining distributed trust and sharing.” Most sharing platforms try to combat this issue by building a self-policing community. Almost all require profiles for both parties and feature a community ratings system.

But these ratings would carry far more weight if they traveled with you across the web… Startups like TrustCloud would like to become the portable reputation system for the web. The company is building an algorithm to collect (if you choose to opt in) your online “data exhaust” — the trail you leave as you engage with others on Facebook, LinkedIn, Twitter, commentary-filled sites like TripAdvisor, and beyond — and calculate your reliability, consistency, and responsiveness. The result would be a contextual badge you’d carry to any website, a trust rating similar to the credit rating you have in the offline world…

Emergent By Design has also discussed Facebook developing into an arbiter of trust on the Internet:

“Increasingly as we move later into the decade, physical currency will be harder to differentiate from virtual currencies like Facebook Credits,” said Brett King, author of Bank 2.0. “We’ll start to see a new economy emerging through social media where virtual currencies will be a very real part of the way people trade and sell information, collaborate on ideas and value various products and services.”

…

Every time you upload a photo, make a comment, add a friend, click a link, or make a purchase, that data is being harvested to create a map and a simulation of you. This is tremendously valuable information, and Facebook gets that.

…

If the trend continues where logging in via your Facebook profile is the simple method for verification, some speculate this could lead to Facebook evolving to being an actual utility for identity…After all, if people are willing to trust sensitive data to Facebook, companies could use that info to offer better rates on car or health insurance, or help you secure a loan, via the platform. While this could seem convenient for the average user, it does carry serious implications in terms of how governments will respond.

The “Identity Ecosystem”

In an effort to develop trust and promote security the US government wants to help foster and develop “The Identity Ecosystem.”

An online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices.

The Identity Ecosystem has four principles:

Identity solutions will be privacy-enhancing and voluntary

Identity solutions will be secure and resilient

Identity solutions will be interoperable

Identity solutions will be cost-effective and easy to use

This system will not be created or managed by the US Government but rather be guided and shaped by the government through the development of standards, interoperability, and the like. Instead, the US Government wants the private sector (Facebook, Google, Amazon, TrustCloud, banks, etc) to take the lead role and develop differing levels of trusted identities. These private actors will become government approved Identity Providers (IDPs) who will provide unique digital identities for users.

There will also be Attribute Providers (AP) that will confirm, bind, assert, and issue attribute information about a subject (user or device).

The government envisions the Identity Ecosystem as a solution to the perceived lack of security and risk of fraud in online transactions. But there are two other looming factors not mentioned throughout the report and that are coming to online transactions in one way or the other: taxes and tracking. Governments want to do both. They want tax revenue, which electronic commerce often slips by, and they want to know what “the bad guys” are doing. Look no further than the backers of the (NSTIC):

Goals and Benchmarks of the Identity Ecosystem

Proponents of the Identity Ecosystem will note that participation is not mandatory and that it is an opt-in program, however, if you dig deeper into the (NSTIC) it’s goals are clearly laid out:

The public and private sector will use awareness and education programs to encourage demand for the Identity Ecosystem and to inform its use Awareness efforts will help inform individuals and organizations about the security and privacy risks associated with existing, weak authentication mechanisms.

Integrate the Identity Ecosystem internationally. Given the global nature of online commerce, the Identity Ecosystem cannot be isolated from internationally available online services and their identity solutions.

Even more telling are the benchmarks established to determine whether or not the system is a success:

Interim Benchmarks (3-5 years)

There exists a growing marketplace of both trustmarked, private-sector identity providers at different levels of assurance and private-sector relying parties that accept trustmarked credentials at different levels of assurance. This relying party population is not confined to just one or two sectors.

The number of enrolled identities in the Identity Ecosystem is growing at a significant rate, and the number of authentication transactions in the Identity Ecosystem is growing at least at the same rate.

Longer-term Benchmarks (10 years)

A majority of relying parties are choosing to be part of the Identity Ecosystem.

A majority of U S Internet users regularly engage in transactions verified through the Identity Ecosystem.

A majority of online transactions are happening within the Identity Ecosystem.

So in ten years, the US Government envisions that the majority of Internet users will be using a online identity system whose underlying structure has been developed in conjunction with the Department of Commerce and the Department of Homeland Security. And while participation is voluntary at the moment, what about in ten years when the majority of Internet users are participants in the system as the US government imagines? Will Amazon or a bank refuse to do business with users who don’t participate in the programs?

The Identity Ecosystem and Electronic Discovery

Here is a depiction of the Identity Ecosystem from the (NSTIC):

A case comes across your desk involving any type of online transaction or communications, litigation ensues, and you proceed with discovery. Who has what information? Bits and peices of individuals’s identities are going to be strewn about dozens of systems. Where are all these systems located? These systems will not exclusively be in one state or even country. Who do you subpoena in the above illustration and how? If a dispute arises in the United States, and relevant data is stored in Ireland and India – whose law applies? In this Information Ecosystem a dispute over a transaction at Starbucks could involve multi-national electronic discovery.

The companies that provide Identity Ecosystem services as well as companies that participate in the system will need clear policies and procedures in dealing with any litigation that may arise within the system.

The Future of Online Identities

Despite any reluctance citizens may have about the Identity Ecosystem – it is coming one way or the other. The Internet has existed in a sort of “wild west” vacuum of control and authority for a long period of time but it is probably coming to an end. The Internet has become too important and vital to business and government to allow it to continue to march forward without firmly establishing a method of uniquely and accurately identifying users online. Business wants it. Governments want it. Even citizens want it.

People want to know that they are secure in dealing with their bank, purchasing a book on their Kindle, or swiping a Smart Card (or phone) at a vending machine. And while the NSTIC certainly discusses anonymity…it’s hard to envision it actually existing in the Identity Ecosystem. But if the Internet has shown itself to be one thing, it would be that it is resilient and adaptive in the face of change and threats to it’s structure. I can imagine a black market economy developing on darknets such as Freenet for users who truly want to protect their identity online. These black market ecosystems already exist – look no further than Cydia, the black market app store for jailbroke iPhones.

Regardless, change is coming to the Internet. The question is if people are ready, or even aware of it?